Improvements in closest point search based on dual HKZ-bases.



Urs Wagner and Gerard Maze 

e-mail: {urs.wagner,gmaze}@math.uzh.ch 
Mathematics Institute 
University of Zurich 
Winterthurerstr 190, CH-8057 Zurich, Switzerland 

January 26, 2012 



Abstract 

In this paper we review the technique to solve the CVP based on dual HKZ-bases by J. Blömer [4].
The technique is based on the transference theorems given by Banaszczyk [3] which imply some necessary
conditions on the coefficients of the closest vectors with respect to a basis whose dual is HKZ reduced.
Recursively, starting with the last coefficient, intervals of length $i$ can be derived for the $i$th coefficient of
any closest vector. This leads to $n!$ candidates for closest vectors. In this paper we refine the necessary
conditions derived from the transference theorems, giving an exponential reduction of the number of
candidates. The improvement is due to the fact that the lengths of the intervals are not independent. In
the original algorithm the candidates for a coefficient pair $(a_i, a_{i+1})$ correspond to the integer points in a
rectangle of volume $i \cdot (i+1)$. In our analysis we show that the candidates for $(a_i, a_{i+1})$ in fact lie in an
ellipse with transverse and conjugate diameter $i+1$, respectively $i$. This reduces the overall number of
points to be enumerated by an exponential factor of about $0.886^n$. We further show how a choice of the
coefficients $(a_n, \dots, a_{i+1})$ influences the interval from which $a_i$ can be chosen. Numerical computations
show that these considerations allow to bound the number of points to be enumerated by $n^{0.75n}$ for
$10 < n < 2000$. Under the assumption that the Gaussian heuristic for the length of the shortest nonzero
vector in a lattice is tight, this number can even be bounded by ^-n™/ 2 . 

Key Words: CVP, dual lattice, lattice problems, nearest point search 
Subject Classification: 68R05; 94A60 



1 Introduction 

The closest vector problem (CVP) is the problem of finding a closest lattice point of a given lattice $\mathcal{L} \subset \mathbb{R}^n$
to an arbitrary point $t$ in $\mathbb{R}^n$. While the problem is proven to be NP-hard (see e.g. UDJ), algorithms exist
to solve the problem approximately in polynomial time. Babai's nearest plane algorithm [2] is the generic
way to get an approximate solution, and the quality of the solution substantially depends on the quality
of the basis it is applied to. The algorithm recursively selects the nearest $n-1, n-2, \dots, 0$ dimensional
plane spanned by the basis vectors. The more orthogonal the basis vectors are, the better the output of the
algorithm. E.g. if the basis is LLL-reduced, the point found lies within $2(4/3)^{n/2}$ times the distance of a
closest lattice point to $t$ [TU]. If the basis vectors are even pairwise orthogonal (note that such a basis does
not necessarily exist), it returns a closest vector. Babai's nearest plane algorithm can be modified to output
an exact solution by not only considering the nearest, but all planes with distance up to a certain bound in
the recursion steps. This is exactly the approach of Kannan [§]. Note that once a plane is fixed, the problem
translates to finding a closest lattice point in a lower dimensional lattice, namely the orthogonal projection
of the lattice onto that plane. Clearly the number of planes to be considered in the lower dimensional lattice
is dependent on the choice of the plane in the upper dimension which was realized by Pohst [5 a. So instead of
looking at all points inside a parallelepiped, the points inside a hyperellipsoid are considered. The running
time of Kannan's and Pohst's approach was proven to be $O(n^n)$ in the original considerations [S|. Recently,
refined analysis by Hanrot and Stehlé showed that applying Kannan's algorithm to a HKZ-basis the closest
vectors can be found by enumerating $2^{O(n)} n^{0.5n}$ points. A more elaborate survey on different methods to
solve the problem exactly can be found in e.g. [T|. In [3], a different approach than the one of Kannan [5] is
presented. The main difference is that the basis used for closest point search is dual HKZ reduced, i.e. it is
a basis whose dual is HKZ reduced. Due to the special form of the basis, the transference theorems proven
by Banaszczyk [3] can be used to bound the number of planes to be considered. In each recursion step the
number of planes to be considered decreases by 1. Having $n$ planes to consider in the first recursion step,
this results in enumeration of $n!$ lattice points. Recently Micciancio gave an algorithm to solve the CVP in
time $2^{O(n)}$ based on Voronoi cell computations [TT]. The caveat in this approach is the exponential space
requirement, and it is not (yet) clear how this can be reduced.

In this paper we give a refined analysis of the approach given in [4]. We show how the overall number
of points to be enumerated can be decreased. While in the original algorithm the number of choices of
the planes is bounded independently in each step, we examine how the choice of a plane in early recursion
steps influences the possible number of choices in following steps. We show how to decrease the number of
lattice points to be enumerated by an exponential factor $(\pi/4)^{n/2}$ by deriving how the choices of the planes
in two neighboring recursion steps are connected. Further we derive a recursive formula (in the dimension
of the lattice) for the number of points to be enumerated when the choices made in early recursion steps
are rigorously used to constrain the further choices. A closed form approximation of this formula is still
an open problem. However numerical computations show that this number can be bounded by $n^{0.75n}$ for
10 < n < 2000. Given that the shortest vector of the dual lattice satisfies the Gaussian heuristic, we show 
that this number can even be bounded by -^n n l' 1 . 

The paper is organized as follows. In Section 2 we give some background and introduce notation used
throughout the paper. In Section 3 the original algorithm proposed in [3] is described and a motivation for
further studies of it is given. In Section 4 we show how the running time can be sped up by a factor $(\pi/4)^{n/2}$.
In Section 5 a recursive formula bounding the number of points to be enumerated is derived and its behavior
is analyzed. Section 6 shows how the bound on the number of points can even be further reduced under the
assumption that the Gaussian heuristic is tight. Finally in Section 7 Kannan's algorithm and the analysis
by Hanrot and Stehlé are quickly reviewed. Some concluding remarks are given in Section 8.

2 Background and Notation 

Throughout the paper $\|\cdot\|$ denotes the Euclidean norm. Let $\mathcal{L}$ be the discrete subgroup generated by integer
linear combinations of $k$ linearly independent vectors $b_1, \dots, b_k$ in $\mathbb{R}^n$. We call $\mathcal{L}$ a lattice of rank $k$ and
dimension $n$. Given a lattice basis $\{b_1, \dots, b_n\}$ of $\mathcal{L}$ we will usually write it as rows of a matrix $B$ in the
following way

$$B = [b_1, \dots, b_n].$$

The lattice points in $\mathcal{L}$ are the integer linear combinations of the basis vectors,

$$\mathcal{L} = \mathcal{L}(B) = \{xB \mid x \in \mathbb{Z}^n\}.$$

By $B^* = [b_1^*, \dots, b_n^*]$ we denote the usual Gram-Schmidt basis corresponding to $B = [b_1, \dots, b_n]$. And by
$\pi_i$ we denote the orthogonal projection

$$\pi_i : \mathrm{span}(b_1, \dots, b_n) \to \mathrm{span}(b_1, \dots, b_{i-1})^{\perp}.$$

Further with $\mathcal{L} := \mathcal{L}(b_1, \dots, b_n)$ we have that

$$\mathcal{L}_i := \pi_i(\mathcal{L})$$

is again a lattice of rank $n - i + 1$ with basis $\{\pi_i(b_i), \dots, \pi_i(b_n)\}$.

Definition 2.1 Given a lattice $\mathcal{L} \subset \mathbb{R}^n$ the dual lattice $\mathcal{L}^{\times}$ is defined by

$$\mathcal{L}^{\times} := \{v \in \mathbb{R}^n : \langle v, w\rangle \in \mathbb{Z}\ \ \forall w \in \mathcal{L}\}.$$

There exists a unique dual basis $B^{\times}$ for every basis $B$ of $\mathcal{L}$.

Definition 2.2 Given a basis $B = [b_1, \dots, b_k]$ for a lattice $\mathcal{L} \subset \mathbb{R}^n$ of rank $k$, then $B^{\times} = [b_1^{\times}, \dots, b_k^{\times}]$ is the
reverse dual basis if and only if

$$b_i^{\times} \in \mathrm{span}(b_1, \dots, b_k) \quad\text{and}\quad \langle b_i^{\times}, b_j\rangle = \delta_{i,k-j+1}.$$

From now on we will assume that the lattice has full rank, i.e. $k = n$.

Remark 2.3 Given $v = v_1 b_1 + \dots + v_n b_n \in \mathcal{L}$, then

$$v_i = \langle v, b^{\times}_{n-i+1}\rangle$$

is the $i$-th coordinate of $v$ with respect to the basis $B$.

The algorithm of this paper uses lattice bases of special form. 

Definition 2.4 A basis $B = [b_1, \dots, b_n]$ of a lattice $\mathcal{L}(b_1, \dots, b_n)$ is called HKZ-basis if and only if it satisfies
the following two conditions

1' — \ f or 3 ^ * (size-reduced). 

2. The $i$-th Gram-Schmidt vector satisfies $\|b_i^*\| = \lambda_1(\pi_i(\mathcal{L}))$.

Definition 2.5 A basis $B = [b_1, \dots, b_n]$ of a lattice $\mathcal{L}(b_1, \dots, b_n)$ is called dual HKZ-basis when its reverse
dual basis $B^{\times} = [b_1^{\times}, \dots, b_n^{\times}]$ is HKZ-reduced.

Lemma 2.6 Let $B = [b_1, \dots, b_n]$ be a basis with dual basis $B^{\times} = [b_1^{\times}, \dots, b_n^{\times}]$. Then the dual basis of
$[b_1, \dots, b_{n-j}]$ equals $[\pi_{j+1}(b_{j+1}^{\times}), \dots, \pi_{j+1}(b_n^{\times})]$, $n - 1 \ge j \ge 0$.

Proof: We start by showing that $\pi_{j+1}(b_i^{\times}) \in \mathrm{span}(b_1, \dots, b_{n-j})$ for $i \ge j+1$. Clearly $\pi_{j+1}(b_i^{\times}) \in \mathrm{span}(b_1, \dots, b_n)$.
Also $\pi_{j+1}(b_i^{\times}) \in \mathrm{span}(b_1^{\times}, \dots, b_j^{\times})^{\perp}$. Hence

$$\pi_{j+1}(b_i^{\times}) \in \mathrm{span}(b_1, \dots, b_n) \cap \mathrm{span}(b_1^{\times}, \dots, b_j^{\times})^{\perp} = \mathrm{span}(b_1, \dots, b_{n-j}).$$

It remains to show that $\langle \pi_{j+1}(b_i^{\times}), b_k\rangle = 1$ if $k = n+1-i$ and $\langle \pi_{j+1}(b_i^{\times}), b_k\rangle = 0$ if $k \in \{1, \dots, n-j\} \setminus \{n+1-i\}$.
This is straightforward as with $k < n - j + 1$

$$\langle \pi_{j+1}(b_i^{\times}), b_k\rangle = \langle b_i^{\times}, b_k\rangle.$$

□

This proves Lemma 1 in [4]:

Lemma 2.7 If $[b_1, \dots, b_n]$ is a dual HKZ-basis for $\mathcal{L}(b_1, \dots, b_n)$ then $[b_1, \dots, b_k]$ is a dual HKZ-basis for
$\mathcal{L}(b_1, \dots, b_k)$, $k = 1, \dots, n$.

Clearly $b_k^* \in \mathrm{span}(b_1, \dots, b_k)$, and as $\langle b_i, b_k^*\rangle = 0$ for $i < k$ it follows that

$$\langle b_k^*, b_k\rangle = \langle b_k^*, b_k^*\rangle = \|b_k^*\|^2.$$

So we have that $\frac{b_k^*}{\|b_k^*\|^2}$ is the first basis vector of the basis dual to $[b_1, \dots, b_k]$. Hence we get the following
corollary.

Corollary 2.8 $\frac{b_k^*}{\|b_k^*\|^2}$ is a shortest vector in $\mathcal{L}^{\times}(b_1, \dots, b_k)$ and $\frac{1}{\|b_k^*\|} = |\lambda_1(\mathcal{L}^{\times}(b_1, \dots, b_k))|$. Further in a dual
HKZ-reduced basis $B = [b_1, \dots, b_n]$, $\|b_k^*\|$ is maximal under all possible bases for the sublattice $\mathcal{L}(b_1, \dots, b_k)$.

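We will now state a theorem from the geometry of numbers by Banaszczyk [3]. First we need two definitions.
Let $\mu(\mathcal{L})$ denote the covering radius of a lattice, i.e.

$$\mu(\mathcal{L}) := \max_{t \in \mathrm{span}(\mathcal{L})} \min_{x \in \mathcal{L}} \|x - t\|.$$

Denote the set of all $i$-tuples of linearly independent lattice vectors as $V_i$. Then the $i$-th minimum $\lambda_i(\mathcal{L})$ of
a lattice is defined as

$$\lambda_i(\mathcal{L}) := \min_{(v_1, \dots, v_i) \in V_i} \max_{1 \le j \le i} \|v_j\|.$$

Theorem 2.9 (Transference Theorems) The successive minima $\lambda_i(\mathcal{L})$ and covering radius $\mu(\mathcal{L})$ of a
lattice $\mathcal{L}$ of rank $n$ satisfy the following bounds

1. $\lambda_i(\mathcal{L}) \cdot \lambda_{n-i+1}(\mathcal{L}^{\times}) \le n$, $i = 1, \dots, n$,

2. $\mu(\mathcal{L}) \cdot \lambda_1(\mathcal{L}^{\times}) \le \frac{n}{2}$.

With Corollary 2.8 we have that $\mu(\mathcal{L}) \cdot \lambda_1(\mathcal{L}^{\times}) = \frac{\mu(\mathcal{L})}{\|b_n^*\|}$ so the second inequality in the Transference Theorems
implies that

$$\mu(\mathcal{L}) \le \frac{n}{2}\|b_n^*\|. \tag{2.1}$$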

3 Original approach 

In this section we review the approach presented in [4]. Given a lattice $\mathcal{L} = \mathcal{L}(b_1, \dots, b_n)$ in $\mathbb{R}^n$ and a vector
$t \in \mathbb{R}^n$, we want to find a vector $v$ such that $\|v - t\| \le \|w - t\|$ for all $w \in \mathcal{L}$. We assume that the basis
$B = [b_1, \dots, b_n]$ is dual HKZ reduced.

1. $e = e_1 b_1^* + \dots + e_n b_n^* = t - v$ denotes the error vector,

2. $e^{(i)} := e - \sum_{j>i} e_j b_j^*$ is the orthogonal projection of the error vector onto $\mathrm{span}(b_1, \dots, b_i)$,

3. $\mu^{(i)}$ denotes the covering radius of $\mathcal{L}(b_1, \dots, b_i)$,

4. $\lambda_1^{\times(i)} := \lambda_1(\mathcal{L}^{\times}(b_1, \dots, b_i))$.

So suppose $v = c_1 b_1 + \dots + c_n b_n$, $c_i \in \mathbb{Z}$, is a closest vector to $t = t_1 b_1 + \dots + t_n b_n$, $t_i \in \mathbb{R}$. With (2.1) we get

$$\|v - t\| \le \mu(\mathcal{L}) \le \frac{n}{2}\|b_n^*\|,$$

and as $(c_n - t_n)^2\|b_n^*\|^2 \le \|v - t\|^2 \le \left(\frac{n}{2}\right)^2\|b_n^*\|^2$ we have

$$|c_n - t_n| \le \frac{n}{2}.$$

Hence we get an interval of length $n$ for the $n$-th coordinate $c_n$ of $v$.

$$c_n \in [t_n - n/2,\ t_n + n/2]. \tag{3.2}$$

As $c_n \in \mathbb{Z}$ we can enumerate $n$ values for $c_n$. Note that for the orthogonal projection $t^{(n-1)}$ of $t - c_n b_n$ onto
$\mathrm{span}(b_1, \dots, b_{n-1})$ we have

$$t^{(n-1)} = t - c_n b_n - \frac{\langle t - c_n b_n, b_n^*\rangle}{\|b_n^*\|^2}\, b_n^* = t - c_n b_n - (t_n - c_n)\, b_n^*$$

and hence $(t_n - c_n) = e_n$. The following lemma [4] allows to recursively carry the problem to proper
sublattices of $\mathcal{L}$ in order to derive corresponding bounds for the other coordinates of $v$.

Lemma 3.1 A vector $w \in \mathcal{L}(b_1, \dots, b_i)$ is a closest vector to $t - \sum_{j>i} x_j b_j$, $x_j \in \mathbb{Z}$, if and only if $w$ is a
closest vector of the orthogonal projection $t^{(i)}$ of $t - \sum_{j>i} x_j b_j$ onto $\mathrm{span}(b_1, \dots, b_i)$.

So given $c_{i+1}, \dots, c_n$ and $e_{i+1}, \dots, e_n$ the problem reduces to finding the closest vector to
$t^{(i)} = t - \sum_{j=i+1}^{n} c_j b_j - \sum_{j=i+1}^{n} e_j b_j^*$ in the lattice $\mathcal{L}(b_1, \dots, b_i)$ of rank $i$. As by Lemma 2.7 $[b_1, \dots, b_i]$ is
a dual HKZ basis for $\mathcal{L}(b_1, \dots, b_i)$ we can recursively take the problem to a lower dimension. In dimension
$i = 1$, $t^{(1)} \in \mathrm{span}(b_1)$ and we set $c_1 = \left\lfloor \frac{\langle t^{(1)}, b_1\rangle}{\langle b_1, b_1\rangle} \right\rceil$ and $e_1 = \frac{\langle t^{(1)}, b_1\rangle}{\langle b_1, b_1\rangle} - \left\lfloor \frac{\langle t^{(1)}, b_1\rangle}{\langle b_1, b_1\rangle} \right\rceil$ in order to get the closest
lattice vector in $\mathcal{L}(b_1)$ to $t^{(1)}$. In fact

$$t^{(1)} - c_1 b_1 - e_1 b_1^* = t - \sum_{j=1}^{n} c_j b_j - \sum_{j=1}^{n} e_j b_j^* = 0,$$

assuring that we get a valid pair of vectors $v \in \mathcal{L}$ and error $e \in \mathbb{R}^n$ in the sense that $v + e = t$. Hence we
have the following lemma:

Lemma 3.2 Recursively we can derive $n!$ candidates for a closest vector to $t$ in $\mathcal{L}$ given a dual HKZ-basis
for $\mathcal{L}$.
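
The recursion of this section, specialised to rank $n = 2$, as an added example that is not part of the paper: in rank 2 a Lagrange-Gauss reduced basis is HKZ reduced, so a dual HKZ-basis can be computed exactly and the interval (3.2) leaves two or three values for $c_2$. All function names, the sample basis and the sample target are constructed for illustration.

```python
from fractions import Fraction
from math import ceil, floor

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def dist2(v, t):
    d = [a - b for a, b in zip(v, t)]
    return dot(d, d)

def dual2(B):
    """Ordinary dual of a rank-2 basis (rows): <D[i], B[j]> = 1 if i == j else 0."""
    (a, b), (c, d) = B
    det = Fraction(a * d - b * c)
    return [(d / det, -c / det), (-b / det, a / det)]

def gauss_reduce(u, v):
    """Lagrange-Gauss reduction: u becomes a shortest vector, v is size-reduced
    against u. In rank 2 this is exactly an HKZ basis."""
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        m = round(dot(u, v) / dot(u, u))
        v = tuple(y - m * x for x, y in zip(u, v))
        if dot(v, v) >= dot(u, u):
            return u, v
        u, v = v, u

def dual_hkz_basis(B):
    """Basis [b1, b2] of the same lattice whose reverse dual [d1, d2] is HKZ reduced."""
    d1, d2 = gauss_reduce(*dual2(B))
    # Reverse duality (Definition 2.2): <d1, b2> = 1 and <d2, b1> = 1.
    return dual2([d2, d1])

def candidates(B, t):
    """Enumerate c_2 in [t_2 - n/2, t_2 + n/2] with n = 2, then round c_1."""
    b1, b2 = dual_hkz_basis(B)
    mu = dot(b2, b1) / dot(b1, b1)
    b2s = tuple(y - mu * x for x, y in zip(b1, b2))    # Gram-Schmidt vector b_2^*
    t2 = dot(t, b2s) / dot(b2s, b2s)                   # coordinate t_2 of t
    out = []
    for c2 in range(ceil(t2 - 1), floor(t2 + 1) + 1):  # interval (3.2)
        r = tuple(x - c2 * y for x, y in zip(t, b2))
        c1 = round(dot(r, b1) / dot(b1, b1))           # rank-1 step: nearest multiple of b_1
        out.append(tuple(c1 * x + c2 * y for x, y in zip(b1, b2)))
    return out

def closest_vector(B, t):
    return min(candidates(B, t), key=lambda v: dist2(v, t))

def brute_force(B, t, bound=30):
    """Reference answer for checking only: scan coefficients in [-bound, bound]^2."""
    pts = (tuple(x * p + y * q for p, q in zip(*B))
           for x in range(-bound, bound + 1) for y in range(-bound, bound + 1))
    return min(pts, key=lambda v: dist2(v, t))

B = [(5, 2), (3, 8)]                      # constructed sample basis
t = (Fraction(37, 4), Fraction(-11, 3))   # constructed target point
```

For this sample the dual HKZ-basis is $[(5, 2), (-2, 6)]$, the interval (3.2) leaves $c_2 \in \{-2, -1\}$, and the closer of the two candidates is $(7, -4)$.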

We will now give a short motivation for further analysis. The algorithm and the corresponding bound are
not optimized at all. Suppose the $n$-th coordinate $e_n$ of the error vector equals $\frac{n}{2}$. Clearly we have the
following inequality $\frac{n}{2} = \frac{\langle e, b_n^*\rangle}{\|b_n^*\|^2} = \|e\| \frac{1}{\|b_n^*\|} \cos\gamma$. As $\|e\| \le \frac{n}{2}\|b_n^*\|$ with Equation (2.1) we get $\frac{n}{2} \le \frac{n}{2} \cos\gamma$.

Consequently $\gamma = 0$ which means that the error vector points exactly in the direction of $b_n^*$. So the error
vector can be written as multiple of $b_n^*$ and the coefficients $e_1, \dots, e_{n-1}$ are trivially zero. In the next section
we will see how the value of $e_i$ influences the interval length in which $e_{i-1}$ lies.



4 First Improvement 

Given the same problem and notation as in Section 3 let us consider the following set

$$T_n := \Big\{(e_1, \dots, e_n) \in \mathbb{R}^n : v = t - \sum_{j=1}^{n} e_j b_j^* \in \mathcal{L} \text{ and } |e_i| \le \frac{i}{2}\Big\}.$$

In the last section we have seen how all elements of this set can be enumerated recursively and that due to the
dual HKZ reducedness of $B$ in fact all closest vectors to $t$ are in the set $\{t - \sum_{j=1}^{n} e_j b_j^* : (e_1, \dots, e_n) \in T_n\}$.
Further in each recursion step the value $e_i + c_i$ is given and as $c_i$ is an integer, the condition $|e_i| \le \frac{i}{2}$ implies
$i$ possible values for $e_i$. So $|T_n|$ is upper bounded by $n!$.

The goal of this section is to define a subset $T_n' \subset T_n$ still having the property that all closest vectors to
$t$ are in the set $\{t - \sum_{j=1}^{n} e_j b_j^* : (e_1, \dots, e_n) \in T_n'\}$. We will now show how additional constraints on the $e_i$'s
can be derived. Recall that the condition $|e_i| \le \frac{i}{2}$ comes from the fact that $\|e^{(i)}\| \le \mu^{(i)} \le \frac{i}{2}\|b_i^*\|$ where the
second inequality is due to the dual HKZ reducedness of the basis. This implies $\|e_i b_i^*\| \le \|e^{(i)}\| \le \mu^{(i)} \le \frac{i}{2}\|b_i^*\|$
and consequently $|e_i| \le \frac{i}{2}$. However $\|e^{(i)}\| \le \mu^{(i)}$ is not the only bound on $\|e^{(i)}\|$ we have. Clearly
also

$$\|e^{(i)}\|^2 = \|e^{(k)}\|^2 - \sum_{j=i+1}^{k} e_j^2\|b_j^*\|^2 \le (\mu^{(k)})^2 - \sum_{j=i+1}^{k} e_j^2\|b_j^*\|^2 \quad\text{for all } k \ge i.$$

Now if $e_j^2 \ge \frac{1}{4}$, $j = i+1, \dots, k$, with $(\mu^{(k)})^2 \le (\mu^{(i)})^2 + \frac{1}{4}\sum_{j=i+1}^{k}\|b_j^*\|^2$ we have a tighter upper bound

$$\|e^{(i)}\|^2 \le (\mu^{(k)})^2 - \sum_{j=i+1}^{k} e_j^2\|b_j^*\|^2 \le (\mu^{(i)})^2. \tag{4.3}$$

This observation can now be exploited to reduce the size of the intervals in which the $e_i$'s lie. For all
$i = 2, \dots, n$, we derive factors $A_i(e_i) \in \mathbb{R}$ depending on $e_i$, such that $\|e^{(i-1)}\| \le A_i(e_i)\mu^{(i-1)}$ and consequently
$|e_{i-1}| \le A_i(e_i)\frac{i-1}{2}$. Let us define

$$A_i^2(c) := \frac{\frac{i^2}{4} - c^2}{\frac{i^2}{4} - \frac{1}{4}}, \quad i \in \mathbb{N}. \tag{4.4}$$

We obtain the following lemma

Lemma 4.1 If $c^2 \ge \frac{1}{4}$, then we have

$$(\mu^{(i)})^2 - c^2\|b_i^*\|^2 \le A_i^2(c) \cdot (\mu^{(i-1)})^2.$$



Proof: We have to show that 

;2 1 \ , . /„-2 



c 2 U (<_1)a - 



Since $(\mu^{(i)})^2 - \frac{1}{4}\|b_i^*\|^2 \le (\mu^{(i-1)})^2$, it is sufficient to show that



This is true since 



7 4) (^ )2 ->:ii 2 )<(?-c 2 ) (>->*ii 2 



□ 

We can now prove the core lemma, which gives the factor by which the error vector is smaller than the
covering radius.

Lemma 4.2 Under the previous assumptions and notations:

$$\|e^{(i-1)}\|^2 \le A_i^2(e_i) \cdot (\mu^{(i-1)})^2. \tag{4.5}$$

Proof: We separate the two cases where $|e_i| < \frac{1}{2}$, $|e_i| \ge \frac{1}{2}$ respectively. If $|e_i| < \frac{1}{2}$, then $A_i^2(e_i) > 1$ and the
proposition follows by $\|e^{(i-1)}\|^2 \le (\mu^{(i-1)})^2$. If $|e_i| \ge \frac{1}{2}$, the claim follows from

$$\|e^{(i-1)}\|^2 = \|e^{(i)}\|^2 - e_i^2\|b_i^*\|^2 \le (\mu^{(i)})^2 - e_i^2\|b_i^*\|^2$$

and Lemma 4.1. □

So with $e_{i-1}^2\|b_{i-1}^*\|^2 \le \|e^{(i-1)}\|^2 \le A_i^2(e_i) \cdot (\mu^{(i-1)})^2$ and $\frac{(\mu^{(i-1)})^2}{\|b_{i-1}^*\|^2} \le \frac{(i-1)^2}{4}$ we immediately obtain the following
bound.

Corollary 4.3 Using the notation from before, 

, / i 2 1\ , o (* - I) 2 ^ * 2 (i - l) 2 



So we define

$$T_n' := \{(e_1, \dots, e_n) \in T_n : \text{Equation (4.6) holds for all } i = 2, \dots, n\}.$$

We are interested in an upper bound on the volume of $T_n'$ giving us an upper bound on the number of points
we have to enumerate to get the closest vectors. Let us first assume that $n$ is even. Clearly

$$T_n' \subset T_n'' := \bigotimes_{i=1}^{n/2} \{(e_{2i-1}, e_{2i}) \in \mathbb{R}^2 : \text{Equation (4.6) holds}\}.$$

The volume of $T_n''$ can be computed as the product of the volumes of the 2-dimensional ellipses.



i=l 

As 



Vi 2 - 1/4 y V 47 fi V^ 2 - 1/4 




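We obtain

$$\mathrm{vol}(T_n'') \le 2\left(\frac{\pi}{4}\right)^{n/2} n!.$$

In the case where $n$ is odd consider

$$T_n'' := \Big\{|e_1| \le \frac{1}{2}\Big\} \otimes \bigotimes_{i=1}^{(n-1)/2} \{(e_{2i}, e_{2i+1}) \in \mathbb{R}^2 : \text{Equation (4.6) holds}\}.$$

The volume of $T_n''$ then is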

T !+1/2 



i=l 



V(2* + l) 2 -l V4 7 11 + V2) 2 - 1/4 



As n, ( ™7 1)/2 -T=== < n, ( "7 1)/2 "7= we get the same bound 

lU=1 ^(i+l/2) 2 -l/4 1U=1 Jt 2 -l/4 



$$\mathrm{vol}(T_n'') \le 2\left(\frac{\pi}{4}\right)^{n/2} n!.$$

Theorem 4.4 Given a dual HKZ basis $B$ of a full rank lattice $\mathcal{L} \subset \mathbb{R}^n$ all closest vectors to a given point
$t \in \mathbb{R}^n$ can be found by recursively enumerating at most $2\left(\frac{\pi}{4}\right)^{n/2} n!$ lattice points.

So with $\sqrt{\pi/4} \approx 0.886$ we get an exponential gain of roughly $0.886^n$ compared to the original considerations.



5 Further improvement 

Recall the starting point of the considerations of the previous section. We have an upper bound on $\|e^{(i)}\|^2$:

$$\|e^{(i)}\|^2 \le (\mu^{(k)})^2 - \sum_{j=i+1}^{k} e_j^2\|b_j^*\|^2. \tag{5.7}$$

Note that the bound (5.7) is decreasing with increasing $e_j$'s and in fact if they satisfy $|e_j| \ge \frac{1}{2}$ then as in
Equation (4.3)

$$(\mu^{(k)})^2 - \sum_{j=i+1}^{k} e_j^2\|b_j^*\|^2 \le (\mu^{(i)})^2.$$

In the original approach (see Section 3), only the case $k = i$ was considered. In Section 4 we considered the
case where $k = i + 1$ and we got that

$$\|e^{(i)}\|^2 \le A_{i+1}^2(e_{i+1}) \cdot (\mu^{(i)})^2,$$

where $A_{i+1}^2(e_{i+1}) := \left(\frac{(i+1)^2}{4} - e_{i+1}^2\right)\left(\frac{(i+1)^2}{4} - \frac{1}{4}\right)^{-1}$. From that we derived that pairs of coefficients $(e_i, e_{i+1})$
lie inside a 2-dimensional ellipsoid of volume $\frac{\pi}{4}(i+1)^2\sqrt{\frac{i}{i+2}}$. The goal of this section is to generalize this
method to more than just 2-tuples of coefficients. Consider

$$\|e^{(i-1)}\|^2 = \|e^{(i)}\|^2 - e_i^2\|b_i^*\|^2 \le A_{i+1}^2(e_{i+1}) \cdot (\mu^{(i)})^2 - e_i^2\|b_i^*\|^2.$$

So under the condition that $\frac{e_i^2}{A_{i+1}^2(e_{i+1})} \ge \frac{1}{4}$, by Lemma 4.1 we have

$$\|e^{(i-1)}\|^2 \le A_{i+1}^2(e_{i+1})\, A_i^2\!\left(\frac{e_i}{A_{i+1}(e_{i+1})}\right) (\mu^{(i-1)})^2.$$

Note that if $|e_{i+1}|, |e_i| \ge \frac{1}{2}$, $A_{i+1}^2(e_{i+1}) \le 1$ and $A_i^2\!\left(\frac{e_i}{A_{i+1}(e_{i+1})}\right) \le 1$. Clearly the bigger $|e_{i+1}|, |e_i|$ the
smaller the bound on $\|e^{(i-1)}\|$ becomes.

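Definition 5.1 For $e_n, \dots, e_1$ recursively define $C_{n+1}^2, \dots, C_1^2$ by

$$C_{n+1}^2 := 1, \qquad C_i^2 := \begin{cases} 1 & \text{if } |e_i| < \frac{1}{2}, \\ C_{i+1}^2\, A_i^2\!\left(\frac{e_i}{C_{i+1}}\right) & \text{else.} \end{cases}$$

Note that $C_i^2 \le 1$ for all $i$.

Proposition 5.2 For $i = n, \dots, 2$ we have

$$\|e^{(i-1)}\|^2 \le C_i^2 (\mu^{(i-1)})^2.$$

Proof: The proof goes by reverse induction on $i$. For $i = n - 1$ the result follows by Proposition 4.2. Assume
the result holds for $i$. If $|e_i| < \frac{1}{2}$, $C_i^2 = 1$ and the proposition follows trivially. For the case $|e_i| \ge \frac{1}{2}$, note
that

$$\|e^{(i-1)}\|^2 = \|e^{(i)}\|^2 - e_i^2\|b_i^*\|^2 \le C_{i+1}^2 (\mu^{(i)})^2 - e_i^2\|b_i^*\|^2 = C_{i+1}^2\left((\mu^{(i)})^2 - \frac{e_i^2}{C_{i+1}^2}\|b_i^*\|^2\right).$$

We also have that $\frac{e_i^2}{C_{i+1}^2} \ge \frac{1}{4}$ and with Lemma 4.1

$$C_{i+1}^2\left((\mu^{(i)})^2 - \frac{e_i^2}{C_{i+1}^2}\|b_i^*\|^2\right) \le C_{i+1}^2\, A_i^2\!\left(\frac{e_i}{C_{i+1}}\right) (\mu^{(i-1)})^2 = C_i^2 (\mu^{(i-1)})^2.$$

□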

With the Transference Theorems the following corollary follows immediately: 
Corollary 5.3 For $i = n, \dots, 2$ we have



Under the assumption that a few consecutive $e_j$'s are at least one half in absolute value, e.g. $|e_k|, \dots, |e_i| \ge \frac{1}{2}$,
the next lemma will give a closed form expression for $C_i$ depending on $e_k, \dots, e_i$. As a corollary of the next
lemma and Proposition 5.2 we will see how $e_k, \dots, e_i$ satisfy a $(k - i + 1)$-dimensional ellipsoid equation.

Lemma 5.4 Let $n \ge k \ge i \ge 1$. Under the assumption that $|e_k|, \dots, |e_i| \ge \frac{1}{2}$ and either $k = n$ or $|e_{k+1}| < \frac{1}{2}$
we have

rrfe if. fe / i-p-i £ \ 1 

£i2 _ ^ij=J 4 I „2 lli=i 4 1 „ 2 1 



llj=i I X ~ 4 J J=*+l V Hi=iV4 4^ 



4 4 
Proof: We go by reverse induction on $i$. The case $i = k$ follows by definition. Assume the result holds for
$i + 1$. Then

r 2 - a 2 ( 6i 1 r 2 - r 2 S r 2 1 

Plugging in $C_{i+1}^2$ immediately gives the result. □



Note that from $e_i^2\|b_i^*\|^2 \le C_{i+1}^2 (\mu^{(i)})^2$ and the Transference Theorems we obtain $e_i^2 \le \frac{i^2}{4} C_{i+1}^2$. So under the
condition that $|e_k|, \dots, |e_{i+1}| \ge \frac{1}{2}$ we have that



n fe ii fc / n-J" 1 

1 lj=i+l 4 V"~^ I 2 llj=»+l 4 



2 

4 4 



e * s 4 lnU(4-i) "^rnuiT? 1 *).'"*'^-^ • <5 * 9) 

The following corollary follows immediately. 
Corollary 5.5 If $|e_k|, \dots, |e_{i+1}| \ge \frac{1}{2}$ for $1 \le i < k \le n$, then



e. 



nU(f-i);-nU (4-1) 



As in Section 4 we now define a set $S_n$ such that all closest vectors to $t$ are in $\{t - \sum_{j=1}^{n} e_j b_j^* : (e_1, \dots, e_n) \in S_n\}$:

$$S_n := \Big\{(e_1, \dots, e_n) \in T_n : |e_i| \le \frac{i}{2} \cdot C_{i+1}\Big\}.$$

Note that by Corollary 5.3 $S_n$ has the desired property.

5.1 Bounding the set S n 

We will now bound the number of elements in $S_n$. Clearly

$$S_n \subset S_n' := \Big\{(e_1, \dots, e_n) \in \mathbb{R}^n : |e_i| \le \frac{i}{2} \cdot C_{i+1},\ i = 1, \dots, n\Big\}.$$

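For $k = 1, \dots, n$, when $C_{k+1} = 1$, define $a_k = \mathrm{vol}(S_k')$ and set $a_0 = 1$. Clearly $a_1 = 1$ and $a_n = \mathrm{vol}(S_n')$.
Further define

$$V_{j,k} := \begin{cases} 1 & \text{for } j = k, \\ \mathrm{vol}\{(e_{j+1}, \dots, e_k) \in \mathbb{R}^{k-j} : \text{Equation (5.10) holds}\} & \text{else.} \end{cases}$$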

For a given element $(e_1, \dots, e_k) \in \mathbb{R}^k$ we can define

$$\tau := \max_{1 \le i \le k}\{i : C_i = 1\} = \max_{1 \le i \le k}\Big\{i : |e_i| < \frac{1}{2}\Big\},$$

allowing to write 

a k = s r-lK,fc- 

We can now partition $S_n'$ into disjoint sets, depending on the possible values of $\tau$, as

$$S_k' = \bigcup_{1 \le \tau \le k} \Big\{(e_1, \dots, e_k) \in \mathbb{R}^k : |e_i| \le \frac{i}{2} \cdot C_{i+1} \text{ and } \max\{i : C_i = 1\} = \tau\Big\}.$$

So in the case where $C_{k+1} = 1$, we have

$$a_k = \sum_{1 \le j \le k} a_{j-1} V_{j,k}. \tag{5.11}$$

In particular

$$\mathrm{vol}(S_n') = a_n = \sum_{1 \le j \le n} a_{j-1} V_{j,n}.$$

Using the well known formula for the volume of an ellipsoid, $V_{j,k}$ can be computed (see Appendix A) as



V, 



3,k 



2 



tzi + A j!2 fc --? \j + 1 / \k + 1 



Clearly 

/7r\( fe -i)/ 2 1 fc! fk + 1\ 1/2 

- uJ . ,)7 {j+tj ■ 

Plugging this into Equation (5.11), for $k = 1, \dots, n$ we get
which leads to 



— E 

+ 1 fri. 



/ A \ fe / 2 1 / A \ i'/2 I 



— E 
+ i 4-". 



< - 

~ k . 

i<j<k 



v7i' V 71 "/ r f*=i + 1 



So we have a recursively defined upper bound for $a_k$. We will now derive a nicer recursion, the goal to upper
bound $a_k$ remains the same however. Define

a k (A\ kl2 
crt := ; — for k = 0, .... n. 

vT+T(fc + i)!W 

As $a_0 = 1$, we get the following recursive relation

[ 1 for fc = 0, 

ak -\ T&Ej-xHfey ***>!■ 



So setting $s_0 := 1$ and

i k 

Sfc: "* + iftr(^ + i 

then $\sigma_k \le s_k$ and it is enough to derive an upper bound on $s_k$. We can define the following sequence for
$n > 2$:



> 



jogjn 1 (n + 2) log(n + 2) 1 | log(7r/4) 
n log n In n log n log n 2 log n 

log ( S „v^(n + l)!(V4)" /2 ^ 

log « n 
n log n ' 



> * '- (5.12) 

nlogn 



where Eq. (pTT2j) is valid because (n + 1)! < e ( B ^) n+2 ■ Then 

$$\mathrm{vol}(S_n') = a_n \le n^{c_n n}.$$

Deriving any useful and provable explicit bound on $s_n$, and therefore on $c_n$, seems to be a nontrivial task.
However, numerical computations of $c_n$ suggest that $c_n < 0.75$ for $10 < n < 2000$ (compare Figure 1).

Figure 1: The behaviour of $c_n$ for $10 < n < 2000$.



6 Hermite factor 

In this section we will point out the influence of the Hermite factor of the dual lattice on the running time
of the algorithm. While the considerations in the previous section give a reduction in the running time for
all lattices, this section will only give an improvement in the case where the length $\lambda^{\times}$ of a shortest vector
in the dual lattice satisfies $\lambda^{\times} > (\mathrm{vol}(\mathcal{L}^{\times}))^{1/n}$. Let

$$\alpha := \sqrt{\gamma(\mathcal{L}^{\times})} = \frac{\lambda_1(\mathcal{L}^{\times})}{(\mathrm{vol}(\mathcal{L}^{\times}))^{1/n}}$$

denote the Hermite factor of the dual lattice $\mathcal{L}^{\times}$. Now consider the following bound on the length of the error
vector $e$

$$\|e\|^2 = e_1^2\|b_1^*\|^2 + \dots + e_n^2\|b_n^*\|^2 \le \left(\frac{n}{2}\right)^2\|b_n^*\|^2. \tag{6.13}$$

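Again the number of coefficients satisfying this inequality can be approximated by the volume of the ellipsoid:

$$V := \mathrm{vol}\Big\{(e_1, \dots, e_n) \in \mathbb{R}^n : v = t - \sum_{j=1}^{n} e_j b_j^* \in \mathcal{L} \text{ and } \Big\|\sum_{j=1}^{n} e_j b_j^*\Big\| \le \frac{n}{2}\|b_n^*\|\Big\} = \frac{\pi^{n/2}}{\Gamma(n/2 + 1)}\left(\frac{n}{2}\right)^n \frac{\|b_n^*\|^n}{\prod_{i=1}^{n}\|b_i^*\|}. \tag{6.14}$$

Note that if $B = [b_1, \dots, b_n]$ is dual HKZ reduced, then $\|b_n^*\| = \frac{1}{\lambda_1(\mathcal{L}^{\times})}$ and $\prod_{i=1}^{n}\|b_i^*\| = \mathrm{vol}(\mathcal{L}) = \frac{1}{\mathrm{vol}(\mathcal{L}^{\times})}$.
Consequently

$$\frac{\|b_n^*\|^n}{\prod_{i=1}^{n}\|b_i^*\|} = \left(\frac{\mathrm{vol}(\mathcal{L}^{\times})^{1/n}}{\lambda_1(\mathcal{L}^{\times})}\right)^n = \left(\frac{1}{\alpha}\right)^n. \tag{6.15}$$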






Figure 2: Histogram of Hermite factors of random lattices with 200-bit prime determinant and dimension 30.



So 



V 



(ex, ...,e n )eW l :v = t-J2e j b*e£ and ||£>A* II ^ ?H & n 



/7T\"/2 1 /n\ 

uJ r(f + 1) I2J 



"n\ n / 1 
, a 



(6.16) 



While $\alpha$ can be smaller than 1, the Gaussian heuristic [12] suggests that it is bigger than one:

$$\frac{\lambda_1(\mathcal{L}^{\times})}{(\mathrm{vol}\,\mathcal{L}^{\times})^{1/n}} \approx \frac{\Gamma\!\left(\frac{n}{2} + 1\right)^{1/n}}{\sqrt{\pi}}. \tag{6.17}$$

In fact tests with random integer lattices in the sense of Goldstein and Mayer [6] suggest that the heuristic
is quite tight for higher dimensions (> 30). E.g. for dimension $n = 30$, the Gaussian heuristic suggests that
$\alpha \approx 1.43$, which is supported by the histogram in Figure 2. Assuming that this is in fact the case and
plugging in the Gaussian heuristic into formula (6.16), we obtain



V = 



/7T\ "/2 l /n\ n 1 I 

\1) f7§ + 1) \ 2J 



+ V2/ \aj V 4 
So in this case, the average number of points to be enumerated would be 

1 



)2n 



i/2 



(6.18) 



7 Kannan's algorithm 



In this section we quickly review Kannan's algorithm and the complexity analysis done by Hanrot and Stehlé
[7][5]. In contrast to Blömer's approach, Kannan's algorithm takes as input a HKZ reduced basis $B$. Let
$e = e_1 b_1^* + \dots + e_n b_n^*$ again denote the error vector $v - t$. Hanrot and Stehlé in their analysis use the fact
that

$$e_1^2\|b_1^*\|^2 + \dots + e_n^2\|b_n^*\|^2 \le \frac{1}{4}\sum_{i=1}^{n}\|b_i^*\|^2 \le \frac{n}{4}\max_{1 \le j \le n}\|b_j^*\|^2. \tag{7.19}$$

Clearly the volume of the ellipsoid defined by Equation (7.19) depends on the lengths of the Gram-Schmidt
vectors. Let us define $C(0) := 1$ and for $k \ge 1$

$$C(k) := |\{(e_1, \dots, e_k) \in \mathbb{R}^k : \text{Equation (7.19) holds}\}|.$$

We derive a recursive bound for $C(n)$: Let $\tau := \arg\max_{1 \le j \le n}\|b_j^*\|$. Then we have the following inequality

$$e_\tau^2\|b_\tau^*\|^2 + \dots + e_n^2\|b_n^*\|^2 \le e_1^2\|b_1^*\|^2 + \dots + e_n^2\|b_n^*\|^2 \le \frac{n}{4}\|b_\tau^*\|^2. \tag{7.20}$$

As $B$ is HKZ reduced, also the $n - \tau + 1$ dimensional lattice $\pi_\tau(B)$ is HKZ reduced. Consequently by
Hermite's [12] bound we have that



\\b* T \\<^^^;o\{n T (C)) 1/{n - T+1) - 

Let us consider

$$C(\tau, n) := |\{(e_\tau, \dots, e_n) \in \mathbb{R}^{n-\tau+1} : \text{Equation (7.20) holds}\}|.$$

We can compute the volume of $C(\tau, n)$ using the ellipsoid formula

7r("- r+1 )/ 2 /Tt>,(n-r+l)/2 

- r(==5±i+i) UJ n; =T ii6*n 

7r (n-r+l)/2 , n . (n-r+l)/2 ||&* || n -' r + 1 



r(^f±i + l)V4y vol(7r T (£)) 



4/ r(2 



Consequently we get 



$$C(n) \le C(\tau - 1)\, C(\tau, n) = C(\tau - 1)\, 2^{c(n-\tau+1)}\, n^{(n-\tau+1)/2},$$

for some constant $c$. This gives

C [nj < 2 n 1 , 

for some constant d . As in the previous section we can state the result in the case where the Gaussian 
heuristic is reached, i.e. ||6*|| = — 2 ^= ■ vol {ir T {C)) 1 ^ n ~ T+1 \ This gives 

, („- T+ l)/2 

C(r,n) = y 
and _ 
8 Conclusion



We have seen that given a dual HKZ-basis, we can solve the closest vector problem using the approach by
Blömer [4] by enumerating $n^{c_n n}$ lattice points, with $c_n < 0.75$ for $10 < n < 2000$. Kannan's algorithm runs
faster, as refined analysis thereof implies [8]. Using Kannan's algorithm, which as input takes a HKZ-basis,
it is enough to enumerate $n^{n/2+o(n)}$ lattice points. On the other hand we have seen that if the shortest
vector of the dual lattice satisfies the Gaussian heuristic, the transference theorems imply that is enough 
to enumerate all lattice points inside a ellipsoid of volume m order to find the closest vectors. If 

the same assumption is made for all gram-schmidt vectors of the HKZ-basis used in Kannan's algorithm, 
the closest lattice points lie inside an ellipsoid of volume (^P) ■ Referring to the case where the Gaussian 
heuristic is tight as average case, Table 1 gives an overview on the complexities.



Approach    original         refined (worst case)    refined (average)
Kannan      $n^{n+o(n)}$     $2^{O(n)} n^{n/2}$      2 -2r lrl n/2
Blömer      $n!$             $n^{c_n n}$             2 -n n «/2

Table 1: Overview on the number of points to enumerate.



A Computation of $V_{\tau,k}$ in Section 5



< 



fc-T+1 . 1/2 



v T , k - r(h=L ^^\ 77 1/2 1 n 

1j"=t+2 I 4 4 



fc-7 

fc-T / k j 



,( fc - T )/2 / r + l \ fc -, „ , 

r(^ + i)l 2 ) l,ii 2 -i) 1/2 

( r+ l)fc-T-l( r+1 )l 11 11 i 

v ; v ' j=T+2i=T+2 2 

k\ ( (r + 2)k \ (k - T)/2 /r + l\ {k - T - 1)/2 fk+1 



a-! A A (?-*) 



Y (h^L + \) T \2 k - T \{t + \){k + 1) J \t + 2J \t + 2 

^.(fe— t)/2 fc, / fe + 1 \V2/ fc \C*-r)/a 



1/2 



T + i) r!2 fe - T Vt + 1>/ V fc + 1 

^(fe-r)/2 fc! / fc \Va 



r(^ + l)r!2 fe - r V^ + i, 
'7r\(fc-^)/2 1 fc! / k N 1/2 